Stripping expired subkey during export?
gnupg-users at spodhuis.org
Fri Mar 3 07:21:39 CET 2017
For certain exports of my PGP key, I want the key minimized and clean of
cruft; while the public keyservers will reaccumulate all signatures,
data-sources where "presence is trust" do not need everything else.
Smaller keys for DNS records, certain authenticated databases, etc.
I also recently updated my key 0x4D1E900E14C1CC04 to use sha256 for all
bindings (by doing a pref update).
gpg --export-options export-clean,export-minimal \
--export 0x4D1E900E14C1CC04 | gpg --list-packets | less
All but one signature is `digest algo 8`. One is still `digest algo 2`.
That's for keyid `A445DC2B1C5B7F39` which is _expired_.
gpg (GnuPG) 2.1.19
Why is `export-clean` not dropping the expired subkey? Is it that
export-clean only filters unusable userids, not unusable subkeys?
At this point, I'm not trying to remove the subkey because it's SHA1,
but because it has expired.
Since I already create a temp keyring (for export variants which drop
25519 sub-keys, to give to systems which break on those), I decided that
I could apply an import-filter on that, since sig_digest_algo is
import-only, so I used:
--import-filter drop-sig='sig_digest_algo < 8'
and then exported clean/minimal from there; but there's no change. This
import filter appears to do nothing.
Is this misunderstanding on my part, or a bug in GnuPG? If the former,
is there enough here to point to the flaw in my mental model, so that
someone can educate me please?
Is there a reason beyond "nobody asked for it yet" why there's no
"expired" filter for drop-subkey/drop-sig?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 996 bytes
Desc: Digital signature
More information about the Gnupg-users